I have a XenApp 6.5 farm. PowerShell 2.0 with remote execution set on all servers. I am not getting any data in the following areas. We are running Splunk version 6.0 and I have the latest forwarder on all the servers.
Server Performance
Zone Data
Also, when I go into maintenance and do a rebuild zone farm lookup, I get the following error:
Could not write to file 'xa_zone_farm.csv': Failed to move file to final destination.
Any help with this would be very appreciated.
The reason why this is happening is most likely the bug SPL-40332 described here. Apparently it only affects Splunk running on Windows. Unfortunately this is still not fixed in Splunk 6.2.3.
Not fixed in 6.2.4 either. I'd really like to see the distribution of enterprises using Linux OS for Splunk architecture vs. Windows. Curious why this hasn't been addressed in multiple releases considering the implications of not being able to overwrite CSV lookup files on a schedule as the lookup tables get new data.
The only workaround I've found is restarting splunkd. Apparently it keeps a lock on the csv file that's to be overwritten until the service restarts.
I have the same problem. Building the 3 other lookups goes fine, but the "Host to Farm" gives this error.
I can see that it is writing a .tmp file to the same directory before it returns the error.
It also creates the file if you delete it. The only problem seems to be updating the current file, and the permissions seem OK.
The TMP-file:
The Error:
Permissions:
D:\Splunk\etc\apps\TemplateForXenApp\lookups\calendar_users.csv
RW NT AUTHORITY\SYSTEM
R Everyone
RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\citrix_license_product.csv
RW NT AUTHORITY\SYSTEM
R Everyone
RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\citrix_license_type.csv
RW NT AUTHORITY\SYSTEM
R Everyone
RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\ica_devicetypes.csv
RW NT AUTHORITY\SYSTEM
R Everyone
RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\lookup_farms.csv
RW NT AUTHORITY\SYSTEM
R Everyone
RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\lookup_host_farm.csv
RW NT AUTHORITY\SYSTEM
R Everyone
RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\lookup_pubapp.csv
RW NT AUTHORITY\SYSTEM
R Everyone
RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\lookup_service_groups.csv
RW NT AUTHORITY\SYSTEM
R Everyone
RW BUILTIN\Administrators
D:\Splunk\etc\apps\TemplateForXenApp\lookups\winHosts.csv
RW NT AUTHORITY\SYSTEM
R Everyone
RW BUILTIN\Administrators
Thanks for the quick reply. Do you mean the service account on the index server or on the XenApp server that has UF installed?
Thanks
The error you are getting means the service account that Splunk is running as does not have write access to c:\program files\splunk\etc\apps\SplunkAppForXenApp\lookups
This only happens when Splunk is running on a Windows platform. As stated above, the lookup generates a temporary file and then tries to move it to the final file. TRANSFORMS.CONF is blocking this from happening. I just updated the XenApp template on apps.splunk.com with a workaround that should resolve the issue.
I will give the new app a try when I find the time.
For your information, I have found a similar weird permissions issue (on Windows) which is explained here: http://answers.splunk.com/answers/215816/after-upgrading-splunk-app-for-microsoft-exchange.html
I will use the ProcMon approach on the Citrix-app also, and post updates here.
It is not set to read only.
Make sure the folder is not set to read only as well.
I checked on my XenApp servers and the Forwarder runs as Local System. The folder mentioned above has SYSTEM set as full control.
The account on the index. Basically, that rebuild zone farm lookup search builds a lookup table that is stored on the indexer.
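One way to tell apart the two explanations given in this thread (the service account lacking write access to the lookups folder, versus a handle on the CSV that is held until splunkd restarts), as an added example that is not from any poster or from Splunk. It assumes the Windows service is named splunkd and uses the lookups path from the permissions listing above; run it on the Splunk server, not on a forwarder.

```powershell
# Added example (not from the thread). Run on the Splunk server, in a session
# with the same rights as the Splunk service account, or the results will
# reflect your own permissions instead.
# Assumptions: service name 'splunkd'; path from the permissions listing above.
$LookupDir   = 'D:\Splunk\etc\apps\TemplateForXenApp\lookups'
$ServiceName = 'splunkd'

# 1. Which account does the Splunk service run as?
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host" }
"Service account: {0} (state: {1})" -f $svc.StartName, $svc.State

# 2. Try to open a file for read/write with no sharing, which is roughly what
#    replacing it requires. Classify the failure instead of just reporting one.
function Test-LookupWritable([string]$Path) {
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
              [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None)
        $fs.Close()
        return 'OK'
    } catch {
        # PowerShell wraps .NET exceptions; unwrap to the real cause.
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        if ($ex -is [System.UnauthorizedAccessException]) { return 'AccessDenied' }
        if ($ex -is [System.IO.IOException]) { return 'Locked' }
        throw
    }
}

# 3. Report the read-only flag, write-capable identities and the open test
#    for every lookup CSV.
Get-ChildItem -Path $LookupDir -Filter *.csv | ForEach-Object {
    $acl = Get-Acl $_.FullName
    $writers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::WriteData)
    } | ForEach-Object { $_.IdentityReference.Value }
    New-Object PSObject -Property @{
        File     = $_.Name
        ReadOnly = $_.IsReadOnly
        Writers  = ($writers -join ', ')
        OpenTest = Test-LookupWritable $_.FullName
    }
} | Format-Table File, ReadOnly, OpenTest, Writers -AutoSize
```

An OpenTest of Locked on a file whose Writers column includes the service account points at the held handle; AccessDenied points at the ACL or the read-only attribute.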